Unable to successfully verify all routing table modifications are correct.

A user connecting from Vista 64 with the Cisco AnyConnect client was getting a “The VPN client was unable to successfully verify the IP forwarding table modifications. A VPN connection will not be established.” error when trying to connect. No changes had been made to the concentrator configuration which is an asa5520 running 8.0(3).

Via ASDM, there was a syslog notification of “SVC Message: 17/ERROR: Unable to successfully verify all routing table modifications are correct.”

Also annoyingly, the license only supports 2 clientless ssl vpn connections and the ssl vpn client appears to use a clientless connection initially which fails to shut down when the ssl client fails to connect, which prevents future logins with no error on the client side due to the licensing.

I found this article which linked the problem to Adobe Photoshop. The user had installed the Photoshop trial recently and when he disabled Bonjour for Windows, which was installed by Photoshop, the VPN worked fine.

I installed Bonjour on XP 32bit and could not reproduce the problem. Perhaps it’s a Vista 64 issue. It’s a small enough of an edge case that I don’t think I’ll try to reproduce.

User says: “it had a really odd name #1_Service_name###. it was added when I installed Adobe”

The Bonjour printing server is the problem, it gets installed with iTunes and countless Adobe products. Just disable the service and it will work just fine. Also some of the Adobe products install the Service name as either “Bonjour Printing Service” or “###” (something that begins with that). I would recommend searching the registry for “mdnsresponder.exe” and finding the service name that way.

I tried to open up a TAC case requesting that it detect such crap and provide a more useful error message to those users to reduce the number of support calls I get about it. Unfortunately I can’t open TAC cases for serial numbers that I haven’t gotten the contract numbers added to my account yet and I can’t find a simple way to track them down either.

The problem happens when Bonjour modifies the routing table after we have which would break vpn connectivity. This is why the error pops up. This issue was fixed three days so unfortunately it has not been integrated into a released version of Anyconnect as of yet. We have made changes to work around these third party applications that modify the routing table. This fix should be added to the next release which is due out in a few months.

Here is the bug id: CSCsj91840 – Anyconnect on Vista fails with Apple Bonjour service and wireless

I will go ahead and put the case in a Release Pending state so I can notify you once the new Anyconnect is released.

I wrote back: Awesome, thanks. I had looked for a bug id a week or two ago but couldn’t find one and had to deal with service contract numbers to get this far. That’s exactly what I’m looking for.

It may be worth noting that this error happens for my users on connect every time, so it’s not breaking vpn connectivity, it’s just not allowing it. I’ll keep an eye out for that next build.

They replied: That is by design. The reason it does not allow it is because if it did you wouldn’t be able to pass traffic through the vpn adapter. We also could not guarantee a secure connection if an application modified the routing table after we did. We have to disconnect the connection if a change was made.

If you have a CCO account and are logged in, you can see the bug here.

Here’s the current bug for those that don’t though: Anyconnect on Vista fails with Apple Bonjour service and wireless

Symptom:

Anyconnect fails with the error ‘failed to verify IP forwarding table modification’

or

‘the VPN client was unable to successfully verify the IP forwarding table modification. a VPN connection will not be established’

Conditions:

Software that uses Apple’s Bonjour networking service cause a conflict:

To disable the service: net stop "Bonjour Service" from command line to temporarily turn off the Bonjour service and then restart it after the tunnel is established.

In the first two suggestions, the Version Cue Servers cannot be automatically discovered. However, you can still access these servers directly by using Connect To Server option and entering the url of the machine.
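The registry search for “mdnsresponder.exe” and the temporary net stop workaround described above can be scripted. The following PowerShell is an added example, not part of the original post or of Cisco's bug note; the function names are hypothetical, and it assumes an elevated prompt, PowerShell 3 or later, and the NetTCPIP module (Windows 8 or later) for Get-NetRoute.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Find every service whose binary is mDNSResponder.exe, whatever name the
# installer registered it under (iTunes, Adobe and TiVo bundles differ).
function Get-MdnsResponderService {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'mdnsresponder\.exe' } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

# Stop the matching services that are running and return their names so the
# caller can restart exactly those once the tunnel is established.
function Stop-MdnsResponderService {
    $running = @(Get-MdnsResponderService | Where-Object { $_.State -eq 'Running' })
    foreach ($svc in $running) {
        Stop-Service -Name $svc.Name -Force -ErrorAction Stop
        Write-Host "Stopped '$($svc.Name)' ($($svc.DisplayName))"
    }
    return $running.Name
}

# Snapshot of the IPv4 routing table, used to see what changed around the connect.
function Get-RouteSnapshot {
    Get-NetRoute -AddressFamily IPv4 |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
}

Get-MdnsResponderService | Format-Table -AutoSize
$before  = Get-RouteSnapshot
$stopped = Stop-MdnsResponderService

Read-Host 'Connect AnyConnect now, then press Enter'

# Routes added or removed while the tunnel came up.
Compare-Object $before (Get-RouteSnapshot) -Property DestinationPrefix, NextHop, InterfaceAlias |
    Format-Table -AutoSize

# Restart only what this script stopped.
foreach ($name in $stopped) { Start-Service -Name $name }
```

On systems without Get-NetRoute, `route print` before and after the connect gives the same comparison by hand.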

Thank you! I also could only find this issue explained and resolved here. However, I can’t get the 2.2 software from Demonoid, they are closed for registrations. Anyone have another suggestion for download for me?

Thanks guys. I have anyconnect and updated to SP1 on Vista and it stopped working (Error was “unable to successfully verify the IP forwarding table modifications”).

When I updated to SP1 it also prompted me to update iTunes which, obvious to me now, installed Bonjour (French for bye bye VPN). After disabling Bonjour in my services menu, the anyconnect client started working again.

Thanks a lot for putting this note out. I have been struggling for the past 2 days to get this issue fixed. I have this issue even though I am on a 32 Bit vista version. This worked like a charm and is a big relief for me now.

Thanks. I was having the problem listed above and went to Vistas problem solving site and there were no solutions. Went to Google as my last ditch effort and your site came up. I have ITunes, Vista, and a wireless network (exactly as described) and once Bonjour was disabled AnyConnect worked like a charm.

This was a HUGE help and fixed the issue that two of my co-workers were having. We are running XP SP2 and SP3 and one co-worker had iTunes and the other had the Adobe CS3 suite. Thanks for the article!

I also received the following message: “The VPN client was unable to successfully verify the IP forwarding table modifications. A VPN connection will not be established.” Thinking I somehow had Bonjour installed, I then searched the registry for “mdnsresponder.exe”. The entry it found was my TiVo Desktop. So I removed TiVo and now everything works. So TiVo is apparently doing the same thing as Bonjour does.

I am having the same issue as Kevin. I deleted itunes and all other Apple software. Deleted all bonjour on the machine and registry instances of it. Any idea what else could be causing this issue? It worked last semester, but something happened over the summer that caused it to stop working.

I just had this same issue on my CEO’s computer, he did not have Bonjour, CS3 or anything like that, on a Hard wired connection. The only way I could fix the issue was to uninstall the software and then have it reinstall via the firewall.

This started happening a lot after we switched all our laptops from XP to Windows 7. Nobody’s running Bonjour or any Adobe product other than Reader. A reboot fixes the problem, but it’s very annoying.

At last I traced it down for mr.. I was getting the same error and did a search in the registry for bonjour and found that the Apple Safari was the one causing this. I have uninstalled it and now it is working like a charm..! Hope this helps at least someone .. here.